Contact: Ryan Kriger, Assistant Attorney General, (802) 828-3171
Vermont Attorney General T.J. Donovan and 29 other attorneys general filed a settlement today that requires Premera Blue Cross, the largest health insurance company in the Pacific Northwest, to pay $10 million total over its failure to secure sensitive consumer data. Premera’s insufficient data security exposed the protected health information and personal information of over 3,000 Vermonters, and more than 10.4 million consumers nationwide, to a hacker.
Under the settlement, Premera will pay $10 million total to the 30 states, $16,000 of which will go to Vermont. The company is also required to implement specific data security controls intended to protect personal health information, annually review its security practices, and provide data security reports to the attorneys general.
“Vermont has been very active in making sure that businesses focus on data security. This was a major and egregious data breach, which we take very seriously,” said Attorney General Donovan.
In today’s complaint, Attorney General Donovan asserts that the company failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA) and violated Vermont’s consumer protection act by not addressing known cybersecurity vulnerabilities that gave a hacker unrestricted access to protected health information for over a year—including private health information, Social Security numbers, bank account information, names, addresses, phone numbers, dates of birth, member identification numbers, and email addresses.
The complaint asserts that Premera was warned repeatedly of its inadequate security program, but did not fix its practices. Further, in the aftermath of the data breach, Premera misled consumers about its privacy practices and told consumers there was “no reason to believe that any of [their] information was accessed or misused.”
More information about Attorney General Donovan’s efforts to protect consumers and address data breaches can be found at https://ago.vermont.gov/privacy-data-security/.
Last modified: July 11, 2019